(I apologise. I'm so incensed by this subject that I've (possibly) got a bit carried away and this post has ended being rather longer than I intended. It's still worth reading though, trust me.)
I've said previously that I would post something about PNR data and, as it happens, a decent/appropriate 'hook' has arrived in the shape of
a truly chilling and scandalous debate in the House of Lords this past Thursday. It was a 'doubled-up' debate on two Reports - one on PNR data and the other on the Prum Treaty, a subject I was not particularly familiar with but which looks, at first blush, as if it could be even worse than PNR data - from the European Union Home Affairs Committe and I invite you, dear reader, to digest it at your leisure - and the original Report(s) (PNR data
here and the Prum Treaty
here) together with the Government's Responses (
here and
here respectively).
Given the importance of the subject matter, it was disappointing (to say the least) that there were so few speakers - and that tells its own story about the quality of scrutiny to which the current government is subjected - although, to be charitable, it could be that the business managers deliberately scheduled the debate for late on a Thursday when the vast majority of the old duffers have already quit the asylum for the week-end. Mind you, the membership of the Upper House (with one or two notable exceptions) isn't exactly renowned for its grasp of matters technological and that may have had something to do with it too. In these circumstances, those who did participate (Lords Wright of Richmond, Jopling, Harrison, and Marlesford, and Baronesses Ludford, Harris of Richmond, and Neville-Jones) deserve an especial honourable mention in despatches, not least because, to a man, they gave The Admiral (Lord West of Spithead and the Minister with the dubious honour of responding to the debate) a right royal mauling and roasting (albeit in a very lordly way). I almost (but not quite) feel sorry for the old sea dog having drawn the short straw on this one - surely not what he expected when he decided to draw the Government's shilling.
Now many people will imagine that PNR data is just one of those rather arcane and esoteric things that governments do - the standard "nothing to hide, nothing to fear" argument. But anyone who's travelled to the US and experienced the US-VISIT data collection programme first hand will know that the variety and extent of information required (including credit card details,&c) is profoundly intrusive, if you will an extensive 'electronic footprint' of the indivual concerned. Speaking for myself, I'm not at all sanguine about governments compiling such extensive information about me, partly because of their staggering incompetence in administering and securing that data (viz: the HMRC debacle) and partly because, in fact, I have a prior and enforceable right to privacy, a right which is constantly being salami-sliced by government, the very institution that should have, as one of its primary responsibilities, the duty of protecting it!
Manifestly use of PNR data is a circumstance where the right to privacy is being serially compromised and emasculated. I won't regale you, dear reader, with a full history of the whole sorry saga. By all means, read the debate and the Reports(s) for that sort of detail and draw your own conclusions about how we've arrived at the ordure we're now in and who/what is to blame for getting us there. (Wendy Grossman has a v.useful analysis of the whole shambles
here.) It is enough to say that those ham-fisted EU negotiators have managed to botch the agreement with the US so that we now have fewer data protection safeguards than previously. Incidentally, Lord Wright of Richmond was explicit about this; in the debate he says:
"the worst possible conclusion would be an agreement that again was accompanied by a letter allowing the United States to disregard its provisions almost at will. Yet this is precisely what emerged in July from the negotiations."
QED.
In addition - and this is one of the things about all this that really makes my blood boil - the agreement is almost certainly of questionable legality. I'll give just two examples. First, as I understand it, UK data protection law (derived from an EU directive and so the same provisions should apply at the pan-European level) requires that processing of data must be limited to the purpose for which it was originally collected. The singular purpose of the US-VISIT programme at its inception was as a counter-terrorism measure - and, in fact, there are exemptions (what a surprise!) on the face of the DPA allowing processing for the purposes of national security, &c. So far so good. But, over the years, that hoary old chestnut 'function creep' has sidled on to the scene. So the new agreement with the US seems to allow processing for general crime, 'communicable diseases', &c purposes, that is to say a whole bunch of things way beyond what was originally intended by the programme itself and way beyond what appears to be sanctioned by EU-wide data protection law. Secondly, there is a general presumption in law that our data will not be sent to third party countries where the data protection regime is weaker or inferior to the standards established in the EU - although again I think there may be an exemption for national security. The US is such a place and it follows therefore that there should be a presumption against the transfer of data there for general processing purposes. But this is precisely what the new agreement allows for. Needless to say there are other areas where the agreement may well breach the spirit, if not the letter of the DPA. Little wonder therefore that the European Data Protection Supervisor and national data protection authorities have been so lukewarm about the subject. As Lord Wright of Richmond puts it:
"Our views were and are shared by the equivalent committee of the European Parliament, by the European data protection supervisor and his deputy, who gave us written and oral evidence, and by the working party of national data protection supervisors, which, of course, includes among its members this country’s Information Commissioner, Mr Richard Thomas."
To cap it all, our lords and masters (throughout the EU) appear to imagine that a letter - a mere letter, for crying out loud!!! - from the US Department of Homeland Security (presumably
this one) is an adequate legal foundation for the whole agreement. No legally enforceable treaty, no memoranda of understanding or what-have-you. No, just a letter! So, if we, the citizens of the EU, fall foul of the programme for any reason, we are expected to rely on the reassurances contained in this letter (and I wouldn't mind betting it's not worth the paper it's printed on) as our means of legal redress. And the Admiral's take on all this? Well, when asked during the debate by Baroness Ludford whether this letter was "legally binding" his reply was: " ... perhaps I may get back in writing to the noble Baroness on that specific point. I am not clear on it myself." WTF?!!? He's a Minister of the Crown, for heaven's sake. He should know the answer to such a basic question. And, if he doesn't, what on earth is our Government up to entering into an agreement with a foreign power when it's not even certain of its legal efficacy? You couldn't make it up!
Of course what makes all of this so much worse is that the whole sorry mess has been stitched up behind closed doors. Both the EU/US agreement on PNR data and the Prum Treaty were achieved (Lord Wright of Richmond again):
" ... with no consultation, no explanatory memorandum, no impact assessment, no overall evaluation of the operation of the treaty, no estimate of the cost to member states and minimal involvement of the European Parliament and national parliaments."
No, the power-crazed gauleiters within both the Commission and the governments of the Member States have just decided that the agreement, with all its manifest failings and flaws, is good for us so we have to like it or lump it. As Baroness Ludford puts it:
"Governments, Ministers and national officials are giving themselves arrogant licence to do what they like and then try to pull the wool over our eyes."
Now, even those who view the collection of all this information with equanimity should be able to concede that this is unacceptable. It is just so profoundly undemocratic.
But (and I find this almost impossible to credit) it gets worse. Not content with comprehensively screwing up the agreement with the US, in their arrogance our lords and masters have concluded that they would like their own VISIT-type programme to play with. According to
this article from John Lettice in The Register, a Framework Decision has already been made (on 6th November) with the intention of implementing an EU-wide version of the US-VISIT programme, possibly even extending to internal flights (something that was
first mooted by the UK Presidency of the EU in the wake of the London bombings back in 2005; i.e. the UK Government's fingerprints are all over this shoddy state of affairs). (Of course this could explain why the bungled EU negotiations with the US were so inadequate and pusillanimous!) Nor is this idiocy confined to the EU. Those excellent chaps over at
Privacy International have been
up in arms about the fact that the Japanese Government is pulling the same trick.
Now, don't get me wrong. I fully recognise that there is a legitimate argument in favour of harnessing the power of IT (and especially databases) for the purposes of the greater good - specifically in this instance countering terrorism. I can even recognise that the requirements of national security might necessitate witholding organisational details of any programme set up for such a purpose. But others have said this before me - and far more eloquently. The whole point about fighting 'The War on Terror' (their words, not mine) is to protect our rights and liberties. But the palaver surrounding PNR data is a classic example of those rights and liberties being ridden roughshod over, if not trampled underfoot. The fundamental point is that the underlying policy that gives effect to PNR data programmes has to be subject to public consent. It has to be open to scrutiny and fully transparent and accountable. If it is not, it is utterly draconian and, in terms, permits 'the terrorist' to claim some form of victory. Bluntly, why should we expose ourselves to what amounts to unacceptable risk and inconvenience (in respect of the data about ourselves) without some say, however small, in the matter?
It is not as if the utility of PNR data is a given. As Privacy International point out in
their letter to the Japanese Government, belated and limited scrutiny of the US-VISIT programme has revealed that, amongst other things:
"expenditures continue on projects that 'are not well-defined, planned, or justified on the basis of costs, benefits, and risks';
"'management controls to identify and evaluate computer and operational problems were insufficient and inconsistently administered';
"'contracts have not been effectively managed and overseen';
"security 'weaknesses collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information, including personally identifiable information'; and
According to the chairman of the U.S. Senate Homeland Security Committee, Senator Joseph Lieberman, the U.S. government 'is spending $1.7 billion of taxpayer money on a program to detect potential terrorists crossing our borders yet it isn't taking the most basic precautions to keep them from hacking into and changing or deleting sensitive information.'"
Nor in fact is the output of PNR data programmes especially useful. As John Lettice points out - and I've no reason to doubt the figures - "out of 63 million visitors [subject to the US-VISIT programme] the DHS detected a whole 1,200 criminals and immigration violators. It is also thought that one person was detained in connection with terrorism, but it's not known what crime, if any, might have been involved, and what happened." In other words, so far as the primary purpose of the policy (i.e. countering terrorism) is concerned there is a 1 in 63 million chance that the system will throw up what might just, conceivably, be a positive and/or useful result. (As an aside, there is a read-across here to the UK Government's plans for ID cards as the total registrable population will be round about this sort of number. And, as I've blogged previously in the context of the IPS database, this raises the spectre of any PNR database - mark you, it would be pan-European rather than just being confined to the UK- being used as a substitute for the National Identity Register should ID cards be scrapped.) Now, I ask you, dear reader, whether you can discern any sort of proportionality in this sort of outcome?
All in all this sorry mess confirms for me beyond peradventure that I am right to be profoundly distrustful of letting the Government manage or administer my personal information in any way whatsoever. And I can't help feeling that it serves as a stark metaphor for so much that is wrong with the political process in our modern age. If governments are going to be so contemptuous and disdainful of its citizens and their legitimate rights as this sordid saga suggests, is it any wonder that they feel provoked to return the favour? Against the background of this sort of behaviour, purportedly acting in our 'democratic' interest, I say enough is enough and a plague on all your houses!!!
Footnote: A few days prior to the debate, the Admiral, in a written answer, referred to "travel document information" and "other passenger information" (with the acronyms "TDI" and "OPI" respectively) in the context of the UK's e-borders scheme. Now I've no idea whether these are an enitirely ne invention, equivalent to PNR data, or whatever. But it does seem like a classic way of muddying the waters by giving and old (but discredited) 'friend' a new nickname!